Is there any security (or perhaps plans to add security) within the fileserver to verify that clients are only able to receive files specified in the manifests on the server? I''d like to distribute different Kerberos keytabs to different nodes such that nodes www01 and www02 can retrieve different files from nodes www03 and www04. Any ideas on how best to approach this problem? Thanks, Christian
On Fri, 2006-09-01 at 11:14 -0700, Christian G. Warden wrote:> Is there any security (or perhaps plans to add security) within the > fileserver to verify that clients are only able to receive files > specified in the manifests on the server? > > I''d like to distribute different Kerberos keytabs to different nodes > such that nodes www01 and www02 can retrieve different files from nodes > www03 and www04. Any ideas on how best to approach this problem?I can''t speak for the larger puppet project, but David L is working on some changes which allow for easier configuration of the fileserver module. Specifically it will be possible to specify hostname substitution (short or fqdn) within the fileserver configuration file. The net effect is you can implement per-host secured areas without having to list every host in the fileserver configuration. The stateless linux project plans to use that capability to allow puppet to manage per-host secrets such as private SSH keys for stateless clients. It''s not exactly what you''re looking for, but it might be something you can extend to your needs. jeff
Christian G. Warden wrote:> Is there any security (or perhaps plans to add security) within the > fileserver to verify that clients are only able to receive files > specified in the manifests on the server? > > I''d like to distribute different Kerberos keytabs to different nodes > such that nodes www01 and www02 can retrieve different files from nodes > www03 and www04. Any ideas on how best to approach this problem?I''m not going to claim that it''s the most manageable system in the world at the moment, but you can do that today. I think the only way to do it right now is to have different mounts for the different set of files: [set1] path /path/to/some/files allow www01 allow www02 [set2] path /path/to/other/files allow www03 allow www04 David Lutterkort has just provided code that supports %h and %H replacements, so you can provide individual hosts access: [keytabs] path /path/to/per-host/keytabs/%H allow * The %H gets replaced with the host''s FQDN, so only that host can see the files. This code will only be available in the next release, and it''s my plan to get that out this weekend. I''d also like to have the fileserver support allow/deny by class, so that you could use puppet classes to determine host access. This is a ways off, though, and will almost certainly require the database used in export/collect. -- It''s not that I''m afraid to die. I just don''t want to be there when it happens. -- Woody Allen --------------------------------------------------------------------- Luke Kanies | http://reductivelabs.com | http://madstop.com
On Fri, Sep 01, 2006 at 12:28:02PM -0600, Jeffrey Law wrote:> On Fri, 2006-09-01 at 11:14 -0700, Christian G. Warden wrote: > > Is there any security (or perhaps plans to add security) within the > > fileserver to verify that clients are only able to receive files > > specified in the manifests on the server? > > > > I''d like to distribute different Kerberos keytabs to different nodes > > such that nodes www01 and www02 can retrieve different files from nodes > > www03 and www04. Any ideas on how best to approach this problem? > I can''t speak for the larger puppet project, but David L is working > on some changes which allow for easier configuration of the fileserver > module. > > Specifically it will be possible to specify hostname substitution > (short or fqdn) within the fileserver configuration file. The net > effect is you can implement per-host secured areas without having to > list every host in the fileserver configuration. > > The stateless linux project plans to use that capability to allow > puppet to manage per-host secrets such as private SSH keys for > stateless clients. > > It''s not exactly what you''re looking for, but it might be something > you can extend to your needs.Thanks, Jeff. Is this different from the use of of %h and %H in the fileserver.conf as described in the docs[1]? I''m thinking maybe I can use puppet to create symlinks for the hosts on the file server. 1. http://reductivelabs.com/projects/puppet/documentation/fsconfigref.html Christian
On Fri, 2006-09-01 at 11:57 -0700, Christian G. Warden wrote:> Thanks, Jeff. Is this different from the use of of %h and %H in the > fileserver.conf as described in the docs[1]? I''m thinking maybe I can > use puppet to create symlinks for the hosts on the file server. > > 1. http://reductivelabs.com/projects/puppet/documentation/fsconfigref.htmlIt''s the same.. I think the support %h/%H support just went into the development tree a few days ago. jeff
Christian G. Warden wrote:> > Thanks, Jeff. Is this different from the use of of %h and %H in the > fileserver.conf as described in the docs[1]? I''m thinking maybe I can > use puppet to create symlinks for the hosts on the file server.This is not yet released, but will be shortly. -- Computers are not intelligent. They only think they are. --------------------------------------------------------------------- Luke Kanies | http://reductivelabs.com | http://madstop.com